Greg Shipley, founder of Neohapsis, has written another article for Information Week magazine, this time about how little of the money spent on security defenses actually buys protection against the attacks we're facing. It's not a short article, but as I've said before, Shipley is always worth reading. Here's what I found most interesting in the article:

“Deficiencies, even in our security technologies, are an unfortunate fact of life,” says Shipley.

Layered security can actually increase risk. Because of the complexity and the variety of vendors and technologies at each layer, staff spend most of their time maintaining those layers (and then punching holes through them so that the business can function), while the truly strategic work waits for later. [Don't forget about all the time auditors spend learning about and reviewing those complex layers.]

54% of the malware noted in the recent Verizon/U.S. Secret Service study was either custom-built or modified; in other words, it was altered to defeat the defenses that most businesses run (which is also why that malware got past those defenses, made it into the data set and was studied).

When sophisticated attackers use sophisticated attacks, many of the controls that compliance programs count on are rendered ineffective.

Vulnerability assessment tools are falling behind because they can't keep pace with the stream of new issues. According to two Neohapsis security consultants, in "the best cases, the tools were in the 20% to 30% effectiveness range."

Databases are the biggest targets, yet they get minimal protection.

If companies realized how ineffective their controls and defenses are, they would quickly change course.

IT departments need to stop paying for ineffective technologies and demand better. Security vendors don't innovate because nothing requires them to (much as management often spends on security only because something requires it).

Positioning a web application firewall (WAF) in front of assets buys a little time, according to Shipley, but “it isn’t going to mitigate enough risk.”
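Two of the points above, modified attacks sliding past signature-based defenses and a WAF that only buys time, can be shown in a few lines. What follows is an added illustration, not code from Shipley's article or from this post; the signature list, the table, and the payloads are all constructed for the example and stand in for no real product's rules or data.

```python
import re
import sqlite3

# Constructed stand-in for a signature-based WAF rule set (not any real
# product's rules): each pattern matches one well-known injection string.
SIGNATURES = [
    re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),  # textbook ' or 1=1
    re.compile(r"union\s+select", re.IGNORECASE),      # textbook UNION SELECT
]


def waf_blocks(value: str) -> bool:
    """True if the toy signature filter would reject this input."""
    return any(sig.search(value) for sig in SIGNATURES)


def setup_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Builds the SQL by string concatenation: the input becomes query text."""
    sql = f"SELECT name FROM users WHERE name = '{name}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Bound parameter: the input is only ever a value, never query text."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


def run_payload(conn: sqlite3.Connection, payload: str) -> dict:
    """One input against the WAF, the vulnerable query, and the fixed query."""
    blocked = waf_blocks(payload)
    return {
        "blocked_by_waf": blocked,
        # Rows the vulnerable query leaks if the WAF lets the input through.
        "vulnerable_rows": [] if blocked else lookup_vulnerable(conn, payload),
        # The parameterized query needs no WAF to be safe, so run it regardless.
        "parameterized_rows": lookup_parameterized(conn, payload),
    }


# Constructed inputs: a legitimate name, the payload the signature knows, and a
# trivially modified payload that says the same thing in different bytes.
PAYLOADS = {
    "legit": "alice",
    "known": "' or 1=1 --",
    "modified": "' or 2>1 --",
}


def demo() -> dict:
    """Run every payload and return the per-payload results keyed by label."""
    conn = setup_db()
    return {label: run_payload(conn, p) for label, p in PAYLOADS.items()}


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:9} {result}")
```

The signature stops the textbook string and nothing else: changing `1=1` to `2>1` is enough to get past it, and the concatenated query then hands back every row. The parameterized query returns nothing for either payload, without any filter in front of it. That is the difference between a WAF buying time and the fix at the source that the time was supposed to be spent on.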